Vulnerabilities > CVE-2007-2217 - Code Injection vulnerability in Kodak Image Viewer

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
kodak
CWE-94
critical
nessus
exploit available

Summary

Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via crafted image files that trigger memory corruption, as demonstrated by a certain .tif (TIFF) file.

Vulnerable Configurations

Part Description Count
OS
Microsoft
4
Application
Kodak
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

  • descriptionKodak Image Viewer TIF/TIFF Code Execution Exploit PoC (MS07-055). CVE-2007-2217. Local exploit for windows platform
    fileexploits/windows/local/4584.c
    idEDB-ID:4584
    last seen2016-01-31
    modified2007-10-29
    platformwindows
    port
    published2007-10-29
    reporterGil-Dong / Woo-Chi
    sourcehttps://www.exploit-db.com/download/4584/
    titleKodak Image Viewer - TIF/TIFF Code Execution Exploit PoC MS07-055
    typelocal
  • descriptionMicrosoft Internet Explorer TIF/TIFF Code Execution (MS07-055). CVE-2007-2217. Remote exploit for windows platform
    idEDB-ID:4616
    last seen2016-01-31
    modified2007-11-11
    published2007-11-11
    reportergrabarz
    sourcehttps://www.exploit-db.com/download/4616/
    titleMicrosoft Internet Explorer - TIF/TIFF Code Execution MS07-055

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS07-055.NASL
descriptionThe remote host is running a version of the Kodak Image Viewer that may allow arbitrary code to be run. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with this application.
last seen2020-06-01
modified2020-06-02
plugin id26961
published2007-10-09
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/26961
titleMS07-055: Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(26961);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2007-2217");
 script_bugtraq_id(25909);
 script_xref(name:"MSFT", value:"MS07-055");
 script_xref(name:"MSKB", value:"923810");
 
 script_xref(name:"IAVB", value:"2007-B-0029");
 script_xref(name:"CERT", value:"180345");
 script_xref(name:"EDB-ID", value:"4584");

 script_name(english:"MS07-055: Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)");
 script_summary(english:"Determines the version of Kodak Image Viewer");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Kodak Image
Viewer.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of the Kodak Image Viewer that may
allow arbitrary code to be run.

An attacker may use this to execute arbitrary code on this host.

To succeed, the attacker would have to send a rogue file to a user of
the remote computer and have it open it with this application.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-055");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
 script_cwe_id(94);

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/09");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/10/09");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/09");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"stig_severity", value:"II");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");

 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-055';
kb = '923810';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"tifflt.dll", version:"5.0.3900.7138", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"tifflt.dll", version:"5.0.3900.7139", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"tifflt.dll", version:"5.0.3900.7136", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0",       file:"tifflt.dll", version:"5.0.3900.7134", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-06-30T04:05:10.676-04:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP is installed
    ovaloval:org.mitre.oval:def:105
  • commentMicrosoft Windows Server 2003 is installed
    ovaloval:org.mitre.oval:def:128
descriptionKodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via crafted image files that trigger memory corruption, as demonstrated by a certain .tif (TIFF) file.
familywindows
idoval:org.mitre.oval:def:1481
statusaccepted
submitted2007-10-10T04:39:42
titleKodak Image Viewer Remote Code Execution Vulnerability
version27

Saint

bid25909
descriptionKodak Image Viewer TIFF image handling vulnerability
idwin_patch_kodakimg
osvdb37627
titlekodak_image_viewer_tiff
typeclient

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 25909 CVE(CAN) ID: CVE-2007-2217 Microsoft Windows是微软发布的非常流行的操作系统。 Windows中的柯达图像查看器处理特制图像文件的方式中存在内存破坏漏洞,远程攻击者可能利用此漏洞通过诱使用户处理畸形数据控制用户系统。 攻击者可以通过构建特制图像来利用此漏洞,如果用户访问网站、查看特制电子邮件或者打开电子邮件附件,该漏洞可能允许远程执行指令。成功利用此漏洞的攻击者可以完全控制受影响的系统。 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 临时解决方法: * 以纯文本格式阅读电子邮件可帮助保护您自己免受来自HTML电子邮件攻击媒介的攻击。 * 修改oieng400.dll上的访问控制列表: 1. 以拥有管理员特权的用户身份登录。 2. 单击“开始”,单击“运行”,键入cmd,然后单击“确定”。 3. 记下文件上的当前 ACL(包括继承设置),以便将来必须撤消此修改时作为参考。要查看ACL,请键入以下内容: cacls “C:\winnt\system32\oieng400.dll” 4. 要拒绝“everyone”组访问该文件,请在命令提示符处键入以下内容: cacls “C:\winnt\system32\oieng400.dll” /E /D Everyone 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS07-055)以及相应补丁: MS07-055:Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810) 链接:<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx?pf=true" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx?pf=true</a>
idSSV:2285
last seen2017-11-19
modified2007-10-12
published2007-10-12
reporterRoot
titleMicrosoft Windows柯达图像查看器远程代码执行漏洞(MS07-055)